SSH Blog

During the Hackers On Planet Earth (HOPE) conference, Edward Snowden and Daniel Ellsberg called on insiders (employees) to spill corporate and government secrets. Snowden is calling for the development of encryption and obfuscation tools to make this easier. The goal is to anonymously expose malfeasance without any repercussions. They believe that people should be able to do this without paying any price and without being held accountable. Superficially this all sounds like a good idea, but who gets to decide what should be leaked or stolen and what constitutes improper behavior? What else could be leaked or…

Many companies have a mix of distributed platforms and mainframes (z/OS) in their environment. Most distributed users do not understand z/OS too well and don’t want to, but they still have to deal with it. This is a frustrating reality for distributed and z/OS users alike. That is, until now!

We have come up with a solution for this type of problem based on customer feedback. Distributed and mainframe users can now securely submit JCL jobs to z/OS by simply executing a put command from any distributed or z/OS platform. As requested, the distributed user does not need to know anything about z/OS to do this. Your z/OS system programmer can write some reusable JCL jobs for your distributed users to use, maybe with some easy-to-change parameters. Then any distributed user can submit a job from any platform or client without ever logging into a z/OS…

Since the mid-1990s there has been a talent drain in the mainframe security administration field. Concerned IT management, looking for ways of filling the void, basically figured that automating user provisioning and credentials could fill the void. To meet the customers' needs, large software companies developed centralized identity and access management tools. In terms of the mainframe, it meant putting a common Windows GUI in front of ACF-2, Top Secret and RACF for inexperienced administrators to drag and drop IDs and…

It appears as though a hard-wired Secure Shell private key has created a bit of a kerfuffle for folks running Cisco's VoIP manager. This one made it into the headlines, but because the affected system was identified and limited in scope to a single product line, remediation steps can be quickly undertaken and the impact minimized. Now imagine if an entire data center had unknown or misplaced private keys floating about. Well, it is more common than you think and the risks are far greater because it’s not just a single product that has the issue, every server in your environment has the…

Back in the day when the enterprise security model was a hardened perimeter protecting the internal "trusted" network, security vendors seized on the notion that businesses need protection from their employees - the insider threat.

Studies were commissioned to show how much malicious insiders were costing businesses. More recent studies indicate the majority of data breaches are carried out by…

Many things seem impenetrable until a “small vulnerability” is exploited. The phrase “small vulnerability” almost sounds like an oxymoron when you think about it. Take the fable of one Luke Skywalker and the Death Star. In the story Luke exploited a small two-meter-wide thermal exhaust port in the Death Star’s design to destroy the ultimate weapon and break the back of the Galactic Empire in their moment of triumph. To make matters worse the Empire was warned about this “small vulnerability”, but the Galactic bureaucrats reasoned that the risk was small and the whistleblowers were overestimating rebels’ chances…

One of the major lessons learned from the Heartbleed Bug is just how vulnerable critical IT components, like encryption, are. The potential impact of these vulnerabilities can be severe and far-reaching. To make matters worse, a lack of management controls and visibility, especially in ubiquitously deployed software, enables cyber criminals…

FTP is one of the most significant security risks in many enterprise environments. Despite long-standing open audit findings and internal mandates, a surprising number of organizations still pass customer data, credit card information, intellectual property and other sensitive information in the clear. Failing to prioritize the elimination of FTP can be traced to the misconceptions…

The major tube strike that was conducted in London during the first two days of Infosecurity Europe 2014 didn’t seem to have had an impact on the visitor count. Held from April 30 to May 1 at Earl’s Court, Infosecurity Europe is the biggest IT security-related exhibition in Europe, and supposedly brought close to 15,000 visitors there this year. And of course, we participated with a stand and speaking sessions, not to miss out on the opportunity to meet up with customers and…

By now anyone concerned with internet security has heard about the Heartbleed security vulnerability in OpenSSL. What you may not be aware of is how much money and personal information is riding on this “free” security program and others like it (OpenSSH). Free is not usually a bad thing, but it can be when it causes the software your business depends on to be under-resourced…

One of the challenges security architects face is finding the right balance between security and end user convenience. This conflict is typified by the example of password policies. A too stringent policy drives users to write down their passwords on sticky notes (thus defeating the security objective) and a too weak policy leaves passwords exposed to cracking…

SSH Communications Security’s products are not affected by the Heartbleed flaw. Customers are advised to patch any server where the vulnerable OpenSSL software is installed.

Due to the pervasive nature of the Heartbleed vulnerability, the length of time the flaw has been in place and the broad access that an attacker could potentially obtain, SSH Communications Security is recommending that all Secure Shell keys used to establish trust relationships with affected systems should be changed immediately after the Heartbleed patch has been installed, and should be a part of your organization’s standard remediation…

How many times have we heard “the perimeter isn’t secure”? In fact, with BYOD, cloud and the extended enterprise, it’s hard to define what the perimeter is anymore. The concept of a porous perimeter that can’t be trusted is the foundation of the Zero Trust model of security and many organizations are adopting this approach. Here are five reasons why monitoring and controlling Secure Shell should be included in your organization's Zero Trust…

Growing up, we get a lot of conflicting advice. We are told “look before you leap” but also “nothing ventured nothing gained”. The book of clichés is littered with other examples. The world of Identity and Access Management is similarly conflicted. On the one hand, IAM should be transparent to the user and simple to administer. On the other hand, IAM must enforce the principle of least privilege. These goals are mutually exclusive. Why? It is just too complex to define specifically the fine-grained access each user needs in order to perform their job and manage that access over time in a dynamic work environment. The result is too many job roles, too many exceptions and ultimately weaker, not stronger…

Like for any goalkeeper, the worst thing - other than a torn ACL - is getting scored on. During my playing days, I was obsessed with the concept of how to organize my defense in a way to minimize goals against as well as minimize opportunities of my opponents. My teammates used to joke and wonder how I played at the level I did. I was not particularly fast or strong, did not have particularly great hands and was not super athletic in any way. But I was quite good at programming my defense and midfield to run a repeatable process to make it very difficult for opponents to penetrate. Unlike soccer, where you are most likely going to get scored on at some point, businesses must keep a zero goals against average for their entire…